Huntress has issued a critical alert about what appears to be a zero-day vulnerability in SonicWall Secure Mobile Access (SMA) VPN appliances, which is being actively exploited to bypass multi-factor authentication (MFA), gain domain-level access, and deploy Akira ransomware within hours of initial compromise.
"This is a critical, ongoing threat," Huntress warns. "We're seeing threat actors pivot directly to domain controllers within hours of the initial breach."
The advisory follows a surge in high-severity incidents observed by Huntress's Security Operations Center (SOC) starting July 25, in cooperation with other security vendors including Arctic Wolf and Sophos. The consistency, speed, and success of the intrusions, even in environments where MFA was enabled, strongly suggest exploitation of an unpatched vulnerability in SonicWall's VPN services.
The observed attack flow is consistent. It begins with compromise of the SonicWall appliance itself, followed by immediate post-exploitation activity leveraging tools like PowerShell, WMI, and credential-stealing scripts. Once in, attackers:
- Abuse over-privileged service accounts (e.g., sonicwall, LDAPAdmin) to gain administrative access
- Establish persistence with Cloudflared tunnels, OpenSSH, or even remote management tools like AnyDesk
- Move laterally using Windows management tools and dump credentials from Veeam databases and Active Directory
- Disable security tools using built-in Windows functions (e.g., Set-MpPreference, netsh)
- Delete volume shadow copies with vssadmin.exe, then execute the Akira ransomware payload
"We've seen them deploy Cloudflared tunnels and OpenSSH, often staged out of C:\ProgramData. This gives them a durable backdoor into the network," the report states.
The attacks are fast, sometimes progressing from breach to full ransomware deployment within a few hours. But what's more troubling is the adaptive nature of each incident.
βIt is apparent that some of these attackers have at least part of the same playbook, or that they are adaptive to whatever situations they happen to encounter.β
Huntress reports at least 20 distinct attacks tied to this threat, each leveraging a mix of:
- Network reconnaissance tools: Advanced IP Scanner, Port Scanners, nltest.exe
- Staging and exfiltration: WinRAR archives and FileZilla used to compress and move stolen data
- Persistence: Creation of new user accounts (net user backupSQL Password123$ /add), registry modifications, and installation of remote access tools
- Firewall and Defender evasion: Using commands like DisableEnhancedNotifications and New-NetFirewallRule to keep paths open and defenses down
"Attackers used brute-forced RDP sessions, LOLBins, and even scripts to steal browser-stored credentials and dump Active Directory databases for offline cracking."
Huntress recommends urgent action for all organizations using SonicWall VPNs:
- Disable SSL VPN Access on SonicWall appliances immediately.
- If VPN access is critical, restrict access to a strict allow-list of trusted IP addresses.
- Audit and restrict service accounts; ensure they are not domain admins.
- Hunt for Indicators of Compromise (IOCs) using file paths, registry edits, and known persistence mechanisms.
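The following PowerShell triage script is an added example written for this article, not Huntress tooling or anything from the advisory. It turns the indicators the article lists into host-side checks: tunnel and remote-access binaries staged under C:\ProgramData, services, scheduled tasks and Run keys that launch them, new local accounts (Security event 4720), Microsoft Defender preferences switched off via Set-MpPreference, inbound firewall allow rules for those programs, and service-style accounts sitting in Domain Admins. The indicator regex, the 30-day lookback, and the service-account naming pattern (sonicwall, ldapadmin, svc, service) are assumptions chosen for illustration; the Active Directory check only runs where the RSAT ActiveDirectory module is installed.

```powershell
#Requires -RunAsAdministrator
# Added example for this article (not Huntress code). Run on a Windows host behind a
# SonicWall VPN to look for the post-exploitation artifacts the advisory describes.

$Findings = New-Object System.Collections.Generic.List[string]
function Add-Finding([string]$Category, [string]$Detail) { $Findings.Add("[$Category] $Detail") }

# Assumption: names of the tooling the article reports (Cloudflared, OpenSSH, AnyDesk).
$suspectPattern = 'cloudflared|sshd?|openssh|anydesk'
$stagingRoot    = 'C:\ProgramData'
$lookback       = (Get-Date).AddDays(-30)   # assumption: 30-day hunting window

# 1. Binaries staged under C:\ProgramData
Get-ChildItem -Path $stagingRoot -Recurse -File -Filter *.exe -ErrorAction SilentlyContinue |
    Where-Object { $_.BaseName -match $suspectPattern } |
    ForEach-Object { Add-Finding 'Staging' "$($_.FullName) (written $($_.LastWriteTime))" }

# 2. Persistence: services, scheduled tasks and Run keys that launch the tooling
Get-Service -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match $suspectPattern -or $_.DisplayName -match $suspectPattern } |
    ForEach-Object { Add-Finding 'Persistence' "Service $($_.Name) ($($_.Status))" }

Get-ScheduledTask -ErrorAction SilentlyContinue |
    Where-Object { ($_.Actions | ForEach-Object { $_.Execute }) -match $suspectPattern } |
    ForEach-Object { Add-Finding 'Persistence' "Scheduled task $($_.TaskPath)$($_.TaskName)" }

$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    (Get-ItemProperty -Path $key).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' -and "$($_.Value)" -match "$suspectPattern|ProgramData" } |
        ForEach-Object { Add-Finding 'Persistence' "Run key $key\$($_.Name) = $($_.Value)" }
}

# 3. New local accounts (e.g. the backupSQL account the article mentions): Security event 4720.
#    Properties[0] of a 4720 event is TargetUserName.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720; StartTime = $lookback } -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Finding 'Account' "User '$($_.Properties[0].Value)' created $($_.TimeCreated)" }

# 4. Defender tampering via Set-MpPreference
$mp = Get-MpPreference -ErrorAction SilentlyContinue
if ($mp) {
    foreach ($flag in 'DisableRealtimeMonitoring', 'DisableBehaviorMonitoring',
                      'DisableIOAVProtection', 'DisableScriptScanning') {
        if ($mp.$flag) { Add-Finding 'Defender' "$flag is True" }
    }
    foreach ($p in $mp.ExclusionPath) { Add-Finding 'Defender' "Exclusion path: $p" }
}

# 5. Inbound allow rules (New-NetFirewallRule) that keep a path open for the tooling
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True -ErrorAction SilentlyContinue |
    ForEach-Object {
        $prog = ($_ | Get-NetFirewallApplicationFilter).Program
        if ($prog -match "$suspectPattern|ProgramData") {
            Add-Finding 'Firewall' "Rule '$($_.DisplayName)' allows $prog"
        }
    }

# 6. Over-privileged service accounts in Domain Admins (needs RSAT ActiveDirectory module)
if (Get-Command Get-ADGroupMember -ErrorAction SilentlyContinue) {
    $svcPattern = '^(sonicwall|ldapadmin|svc|service)'   # assumption: local naming convention
    Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
        Where-Object { $_.objectClass -eq 'user' -and $_.SamAccountName -match $svcPattern } |
        ForEach-Object { Add-Finding 'Privilege' "Service-style account $($_.SamAccountName) is in Domain Admins" }
}

if ($Findings.Count -eq 0) { Write-Output 'No findings.' }
else { $Findings | Sort-Object | ForEach-Object { Write-Output $_ } }
```

A hit in any category is a lead, not a verdict: legitimate OpenSSH or AnyDesk installs will match, so compare each finding against the host's known baseline and the timeline of the VPN compromise before escalating.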